Technology sometimes needs to reach a tipping point before governmental regulation catches up. The Federal Trade Commission (FTC) is trying to get ahead of the curve by issuing a privacy and security report on the Internet of Things (IoT), presented as a series of recommendations for makers of connected devices. The FTC wants to minimize security and privacy risks by reducing the amount of data that these devices collect, and making sure that these devices, or their makers, clearly indicate to users the amount and sort of data they’ll collect.

Thinkers, designers, and manufacturers continue to find new uses and potential for the IoT. In the future, our cars, home appliances, phones, watches, entertainment, and much more will likely all be connected. The report singles out health care as a potential beneficiary. Pacemakers, insulin pumps, and other life-saving devices connecting to the IoT could provide health care professionals with real-time updates about their users’ medical condition.

Big Data, Big Risks
No one questions this potential, but enabling and unlocking it requires sharing lots of data among these devices. The report estimates that, today, there are 25 million Internet-connected devices, and that number could rise to 50 billion by 2020. By that same year, the FTC believes 90 percent of cars could have Internet connections. By 2018, the report says, mobile devices could generate 15 exabytes bytes of worldwide data traffic per month. Because big numbers require context: that amount of data translates into roughly 750,000 years of DVD-quality video. Even that example is hard to fathom—it’s a lot of data.

Any device that transmits data may be tracked, any data transmitted may be intercepted, any device that stores data may be hacked, and even data collected legitimately may open up unintended consequences. To minimize these possibilities, the FTC recommends four options: no data collection, collection of no more data than is required for device functionality, collection only of less important data, or removal of user identity from collected data.

Minimizing Risk While Maximizing Benefit
Even some who participated in the creation of the report worry that “data minimization” could limit the potential benefit of new technologies, as companies might not be able to anticipate which data will provide the most—or unexpected—benefits. Others questioned whether users will actually use devices that require lengthy initial or frequent consent, hindering adoption of IoT devices.

The report’s discussions of data security are less interesting than its discussions of which data should be collected. The FTC recommends and assumes that companies will implement responsible security standards in line with existing industry best practices. But it makes the valid point that data that’s not collected can’t be at risk. Furthermore, it takes surprisingly few data points to identify individuals, even when the identifying data has been removed. The Commission also recognizes that, in some cases, providing notification and requiring user consent about collected data is unnecessary, depending on the context—whether consumers should reasonably expect that data to be collected.

To use the earlier pacemaker example — reasonable people would expect their pacemaker to report things like heart rate, so that kind of data collection should require no consent. However, data from a car that reports how often its driver goes through the fast food drive-through could be used to increase health insurance rates. Because users might not expect that kind of data sharing, the FTC believes it should require notification and authorization.

User Experience
One problem with this theory is that some devices, like pacemakers, don’t have a user interface that can inform the user about what data it collects and who it shares that data with. Some devices, like cars, do have suitable interfaces, but using it while driving could pose its own danger. The FTC report recognizes these challenges and offers suggestions, including QR codes, point-of-purchase disclosure, video tutorials, and other alternate methods of creating awareness.

It’s Not Law—For Now
For the time being, the FTC says its recommendations are just that. However, the same report recommends that Congress endorse online privacy practices, and President Obama’s push for the same, so device makers would be wise to assume that these recommendations could someday become law.

Photo Credit: Elif Ayiter/Flikr